From 20b09d3bda2584b85ba0a99fd6d95b3e40097b4f Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Wed, 8 Apr 2015 15:08:14 +0200 Subject: [PATCH 1/6] Inherit from Icinga\Web\Controller rather than from Icinga\Web\Controller\ModuleActionController --- modules/doc/library/Doc/DocController.php | 4 ++-- .../monitoring/application/controllers/ConfigController.php | 4 ++-- modules/monitoring/library/Monitoring/Controller.php | 4 ++-- modules/setup/application/controllers/IndexController.php | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/doc/library/Doc/DocController.php b/modules/doc/library/Doc/DocController.php index de02a3bae..36abe6b10 100644 --- a/modules/doc/library/Doc/DocController.php +++ b/modules/doc/library/Doc/DocController.php @@ -5,9 +5,9 @@ namespace Icinga\Module\Doc; use Icinga\Module\Doc\Renderer\DocSectionRenderer; use Icinga\Module\Doc\Renderer\DocTocRenderer; -use Icinga\Web\Controller\ModuleActionController; +use Icinga\Web\Controller; -class DocController extends ModuleActionController +class DocController extends Controller { /** * Render a chapter diff --git a/modules/monitoring/application/controllers/ConfigController.php b/modules/monitoring/application/controllers/ConfigController.php index 2571b071e..33bf142f3 100644 --- a/modules/monitoring/application/controllers/ConfigController.php +++ b/modules/monitoring/application/controllers/ConfigController.php @@ -4,7 +4,7 @@ use Icinga\Web\Notification; use Icinga\Data\ResourceFactory; use Icinga\Forms\ConfirmRemovalForm; -use Icinga\Web\Controller\ModuleActionController; +use Icinga\Web\Controller; use Icinga\Module\Monitoring\Forms\Config\BackendConfigForm; use Icinga\Module\Monitoring\Forms\Config\InstanceConfigForm; use Icinga\Module\Monitoring\Forms\Config\SecurityConfigForm; 
@@ -12,7 +12,7 @@ use Icinga\Module\Monitoring\Forms\Config\SecurityConfigForm; /** * Configuration controller for editing monitoring resources */ -class Monitoring_ConfigController extends ModuleActionController +class Monitoring_ConfigController extends Controller { /** * Display a list of available backends and instances diff --git a/modules/monitoring/library/Monitoring/Controller.php b/modules/monitoring/library/Monitoring/Controller.php index 3aa893502..bf69182d7 100644 --- a/modules/monitoring/library/Monitoring/Controller.php +++ b/modules/monitoring/library/Monitoring/Controller.php @@ -6,13 +6,13 @@ namespace Icinga\Module\Monitoring; use Icinga\Data\Filter\Filter; use Icinga\Data\Filterable; use Icinga\File\Csv; -use Icinga\Web\Controller\ModuleActionController; +use Icinga\Web\Controller as IcingaWebController; use Icinga\Web\Url; /** * Base class for all monitoring action controller */ -class Controller extends ModuleActionController +class Controller extends IcingaWebController { /** * The backend used for this controller diff --git a/modules/setup/application/controllers/IndexController.php b/modules/setup/application/controllers/IndexController.php index b83c9f94e..eec43a737 100644 --- a/modules/setup/application/controllers/IndexController.php +++ b/modules/setup/application/controllers/IndexController.php @@ -1,10 +1,10 @@ Date: Wed, 8 Apr 2015 16:48:35 +0200 Subject: [PATCH 2/6] Move setupSortControl() from Monitoring_ListController to Icinga\Web\Controller --- library/Icinga/Web/Controller.php | 15 +++++++++++++++ .../application/controllers/ListController.php | 16 ---------------- 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/library/Icinga/Web/Controller.php b/library/Icinga/Web/Controller.php index 8b6f8ca01..e7a1d51f5 100644 --- a/library/Icinga/Web/Controller.php +++ b/library/Icinga/Web/Controller.php 
@@ -4,6 +4,7 @@ namespace Icinga\Web; use Icinga\Web\Controller\ModuleActionController; +use Icinga\Web\Widget\SortBox; /** * This is the controller all modules should inherit from @@ -12,4 +13,18 @@ use Icinga\Web\Controller\ModuleActionController; */ class Controller extends ModuleActionController { + /** + * Create a sort control box at the 'sortControl' view parameter + * + * @param array $columns An array containing the sort columns, with the + * submit value as the key and the label as the value + */ + protected function setupSortControl(array $columns) + { + $req = $this->getRequest(); + $this->view->sortControl = SortBox::create( + 'sortbox-' . $req->getActionName(), + $columns + )->applyRequest($req); + } } diff --git a/modules/monitoring/application/controllers/ListController.php b/modules/monitoring/application/controllers/ListController.php index 41e27ec45..4ef93a47a 100644 --- a/modules/monitoring/application/controllers/ListController.php +++ b/modules/monitoring/application/controllers/ListController.php @@ -9,7 +9,6 @@ use Icinga\Web\Url; use Icinga\Web\Widget\Tabextension\DashboardAction; use Icinga\Web\Widget\Tabextension\OutputFormat; use Icinga\Web\Widget\Tabs; -use Icinga\Web\Widget\SortBox; use Icinga\Data\Filter\Filter; use Icinga\Web\Widget; use Icinga\Module\Monitoring\Forms\StatehistoryForm; @@ -694,21 +693,6 @@ class Monitoring_ListController extends Controller return $columns; } - /** - * Create a sort control box at the 'sortControl' view parameter - * - * @param array $columns An array containing the sort columns, with the - * submit value as the key and the value as the label - */ - private function setupSortControl(array $columns) - { - $this->view->sortControl = new SortBox( - 'sortbox-' . $this->getRequest()->getActionName(), - $columns - ); - $this->view->sortControl->applyRequest($this->getRequest()); - } - protected function addTitleTab($action, $title, $tip) { $this->getTabs()->add($action, array( 
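Review bot: The docblock on the new `setupSortControl()` in `library/Icinga/Web/Controller.php` does not mention that the sort box is populated from the current request through `applyRequest($req)`. That matters more now that the method is `protected` on the base controller and therefore callable from every module. Whether `applyRequest()` restricts the requested sort column to the keys of `$columns` is not visible in this diff. If it does, a docblock line such as `Only keys of $columns are accepted as the sort column` would record the contract; if it does not, callers need to know that before the value reaches a query.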
From 5c61405a9a1a7b2a055f99fd09f33faade87b550 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Mon, 13 Apr 2015 10:27:10 +0200 Subject: [PATCH 3/6] Revert "Setup: Fix that the mysql privilege checks are not working in the wizard" This reverts commit 1835479738ab1a45a0892c6b3dd301d27059e58e. Operator precedence is a damn useful thing, if known by the developer... --- modules/setup/library/Setup/Utils/DbTool.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/setup/library/Setup/Utils/DbTool.php b/modules/setup/library/Setup/Utils/DbTool.php index 3dd450d9c..b08f42bf8 100644 --- a/modules/setup/library/Setup/Utils/DbTool.php +++ b/modules/setup/library/Setup/Utils/DbTool.php @@ -691,7 +691,7 @@ EOD; . ' AND ' . $privilegeCondition . ($requireGrants ? " AND is_grantable = 'YES'" : ''), array(':grantee' => $grantee) ); - return $query->fetchObject()->matches === count($mysqlPrivileges); + return (int) $query->fetchObject()->matches === count($mysqlPrivileges); } /** From d038a2795dc30c49ec36abaf6a170e92adeb29b8 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Mon, 13 Apr 2015 14:10:24 +0200 Subject: [PATCH 4/6] Wizard: Differentiate between privileges required to create and setup a db Fixes the bug that if a database and a login are already existing and only the schema needs to be set up, which is possible using the resource's login, the user is required to provide another login with the seemingly missing privileges. refs #8707 --- modules/setup/library/Setup/Utils/DbTool.php | 17 ++++++----- modules/setup/library/Setup/WebWizard.php | 32 ++++++++++++++------ 2 files changed, 32 insertions(+), 17 deletions(-) diff --git a/modules/setup/library/Setup/Utils/DbTool.php b/modules/setup/library/Setup/Utils/DbTool.php index b08f42bf8..3073778c8 100644 --- a/modules/setup/library/Setup/Utils/DbTool.php +++ b/modules/setup/library/Setup/Utils/DbTool.php 
@@ -721,7 +721,8 @@ EOD; foreach (array_intersect($privileges, array_keys($this->pgsqlGrantContexts)) as $privilege) { if (false === empty($context) && $this->pgsqlGrantContexts[$privilege] & static::TABLE_LEVEL) { $tablePrivileges[] = $privilege; - } elseif ($this->pgsqlGrantContexts[$privilege] & static::DATABASE_LEVEL) { + } + if ($this->pgsqlGrantContexts[$privilege] & static::DATABASE_LEVEL) { $dbPrivileges[] = $privilege; } } @@ -760,14 +761,14 @@ EOD; // connected to the database defined in the resource configuration it is safe to just ignore them // as the chances are very high that the database is created later causing the current user being // the owner with ALL privileges. (Which in turn can be granted to others.) - } - if (array_search('CREATE', $privileges) !== false) { - $query = $this->query( - 'select rolcreatedb from pg_roles where rolname = :user', - array(':user' => $username !== null ? $username : $this->config['username']) - ); - $privilegesGranted &= $query->fetchColumn() !== false; + if (array_search('CREATE', $privileges) !== false) { + $query = $this->query( + 'select rolcreatedb from pg_roles where rolname = :user', + array(':user' => $username !== null ? $username : $this->config['username']) + ); + $privilegesGranted &= $query->fetchColumn() !== false; + } } if (array_search('CREATEROLE', $privileges) !== false) { diff --git a/modules/setup/library/Setup/WebWizard.php b/modules/setup/library/Setup/WebWizard.php index afe791732..1180379bb 100644 --- a/modules/setup/library/Setup/WebWizard.php +++ b/modules/setup/library/Setup/WebWizard.php 
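Review bot: In the relocated `CREATE` check of the second hunk, `$query->fetchColumn() !== false` treats "no row for this role" and "`rolcreatedb` is false" as the same signal, and it only works if the driver returns the column as a PHP boolean. A string-typed result (presumably possible when fetches are stringified) would always compare as granted, which is the unsafe direction for a privilege check. Letting row presence carry the answer is less fragile: `'select 1 from pg_roles where rolname = :user and rolcreatedb'`. The enclosing branch opens outside this hunk, so it cannot be confirmed from here which connection state now skips the check.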
@@ -17,7 +17,7 @@ use Icinga\Module\Setup\Forms\PreferencesPage; use Icinga\Module\Setup\Forms\AuthBackendPage; use Icinga\Module\Setup\Forms\AdminAccountPage; use Icinga\Module\Setup\Forms\LdapDiscoveryPage; -use Icinga\Module\Setup\Forms\LdapDiscoveryConfirmPage; +//use Icinga\Module\Setup\Forms\LdapDiscoveryConfirmPage; use Icinga\Module\Setup\Forms\LdapResourcePage; use Icinga\Module\Setup\Forms\RequirementsPage; use Icinga\Module\Setup\Forms\GeneralConfigPage; @@ -41,6 +41,17 @@ use Icinga\Module\Setup\Requirement\ConfigDirectoryRequirement; */ class WebWizard extends Wizard implements SetupWizard { + /** + * The privileges required by Icinga Web 2 to create the database and a login + * + * @var array + */ + protected $databaseCreationPrivileges = array( + 'CREATE', + 'CREATE USER', // MySQL + 'CREATEROLE' // PostgreSQL + ); + /** * The privileges required by Icinga Web 2 to setup the database * @@ -48,10 +59,8 @@ class WebWizard extends Wizard implements SetupWizard */ protected $databaseSetupPrivileges = array( 'CREATE', - 'ALTER', - 'REFERENCES', - 'CREATE USER', // MySQL - 'CREATEROLE' // PostgreSQL + 'ALTER', // MySQL only + 'REFERENCES' ); /** @@ -148,7 +157,9 @@ class WebWizard extends Wizard implements SetupWizard $page->setResourceConfig($this->getPageData('setup_ldap_resource')); } } elseif ($page->getName() === 'setup_database_creation') { - $page->setDatabaseSetupPrivileges($this->databaseSetupPrivileges); + $page->setDatabaseSetupPrivileges( + array_merge($this->databaseCreationPrivileges, $this->databaseSetupPrivileges) + ); $page->setDatabaseUsagePrivileges($this->databaseUsagePrivileges); $page->setResourceConfig($this->getPageData('setup_db_resource')); } elseif ($page->getName() === 'setup_summary') { 
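Review bot: The `LdapDiscoveryConfirmPage` import in the first hunk is commented out (`//use Icinga\Module\Setup\Forms\LdapDiscoveryConfirmPage;`) rather than removed. The change is unrelated to the privilege split described in the commit message. Deleting the line, or moving it to its own commit with a reason, keeps the history readable and avoids dead code in the import block.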
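Review bot: `'CREATE'` appears in both `$databaseCreationPrivileges` and `$databaseSetupPrivileges`, so the `array_merge(...)` passed to `setDatabaseSetupPrivileges()` in the `setup_database_creation` branch contains it twice. The same merge is passed to `checkPrivileges()` after `connectToHost()` in the later WebWizard hunk. The MySQL path in DbTool compares `COUNT(*)` with `count($mysqlPrivileges)`, and `array_intersect` keeps duplicate values, so the duplicate could make that comparison fail even when every privilege is granted. This is inferred, because the full DbTool function is not shown. Wrapping both merges as `array_unique(array_merge($this->databaseCreationPrivileges, $this->databaseSetupPrivileges))` removes the ambiguity.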
@@ -211,8 +222,8 @@ class WebWizard extends Wizard implements SetupWizard try { $db->connectToDb(); // Are we able to login on the database? if (array_search(key($this->databaseTables), $db->listTables()) === false) { - // In case the database schema does not yet exist the user - // needs the privileges to create and setup the database + // In case the database schema does not yet exist the + // user needs the privileges to setup the database $skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables); } else { // In case the database schema exists the user needs the required privileges @@ -224,7 +235,10 @@ class WebWizard extends Wizard implements SetupWizard $db->connectToHost(); // Are we able to login on the server? // It is not possible to reliably determine whether a database exists or not if a user can't // log in to the database, so we just require the user to be able to create the database - $skip = $db->checkPrivileges($this->databaseSetupPrivileges, $this->databaseTables); + $skip = $db->checkPrivileges( + array_merge($this->databaseCreationPrivileges, $this->databaseSetupPrivileges), + $this->databaseTables + ); } catch (PDOException $_) { // We are NOT able to login on the server.. } From e0891aedca366a9ba15b0ac8822a119ba30d7d28 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Mon, 13 Apr 2015 14:13:02 +0200 Subject: [PATCH 5/6] DbTool: Add mysql context identifiers for the REFERENCES privilege Though this privilege is not in use until mysql version 5.7.6 it is registered as privilege in the privilege tables in earlier versions. refs #8707 --- modules/setup/library/Setup/Utils/DbTool.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/setup/library/Setup/Utils/DbTool.php b/modules/setup/library/Setup/Utils/DbTool.php index 3073778c8..3e5fb479c 100644 --- a/modules/setup/library/Setup/Utils/DbTool.php +++ b/modules/setup/library/Setup/Utils/DbTool.php 
@@ -78,7 +78,7 @@ class DbTool 'INSERT' => 29, 'LOCK TABLES' => 5, 'PROCESS' => 1, - 'REFERENCES' => 0, + 'REFERENCES' => 12, 'RELOAD' => 1, 'REPLICATION CLIENT' => 1, 'REPLICATION SLAVE' => 1, From a21d54460db20e924415d85467cb81bfa41cdc02 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Mon, 13 Apr 2015 14:17:18 +0200 Subject: [PATCH 6/6] DbTool: Fix that all mysql privileges were checked regardless of their context refs #8707 --- modules/setup/library/Setup/Utils/DbTool.php | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/modules/setup/library/Setup/Utils/DbTool.php b/modules/setup/library/Setup/Utils/DbTool.php index 3e5fb479c..ae2fcc38f 100644 --- a/modules/setup/library/Setup/Utils/DbTool.php +++ b/modules/setup/library/Setup/Utils/DbTool.php @@ -629,10 +629,6 @@ EOD; $mysqlPrivileges = array_intersect($privileges, array_keys($this->mysqlGrantContexts)); list($_, $host) = explode('@', $this->query('select current_user()')->fetchColumn()); $grantee = "'" . ($username === null ? $this->config['username'] : $username) . "'@'" . $host . "'"; - $privilegeCondition = sprintf( - 'privilege_type IN (%s)', - join(',', array_map(array($this, 'quote'), $mysqlPrivileges)) - ); if (isset($this->config['dbname'])) { $dbPrivileges = array(); @@ -653,7 +649,7 @@ EOD; . ' FROM information_schema.schema_privileges' . ' WHERE grantee = :grantee' . ' AND table_schema = :dbname' - . ' AND ' . $privilegeCondition + . ' AND privilege_type IN (' . join(',', array_map(array($this, 'quote'), $dbPrivileges)) . ')' . ($requireGrants ? " AND is_grantable = 'YES'" : ''), array(':grantee' => $grantee, ':dbname' => $this->config['dbname']) ); 
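Review bot: The `privilege_type IN (...)` list in the `schema_privileges` query is now built inline from `$dbPrivileges`, and the same `join(',', array_map(array($this, 'quote'), ...))` expression is repeated for `$tablePrivileges` and `$mysqlPrivileges` in the two following hunks. Since the lists are now per-context subsets, one of them can be empty where the old shared `$privilegeCondition` was not, and an empty list renders `IN ()`, which MySQL rejects. Whether each query is guarded by an emptiness check lies outside these hunks and should be confirmed. A small private helper that takes an array, quotes each value, and refuses an empty input would remove the triplication and keep the quoting in one place.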
@@ -666,14 +662,13 @@ EOD; !$dbPrivilegesGranted || array_intersect($dbPrivileges, $tablePrivileges) != $tablePrivileges ) ) { - $tableCondition = 'table_name IN (' . join(',', array_map(array($this, 'quote'), $context)) . ')'; $query = $this->query( 'SELECT COUNT(*) as matches' . ' FROM information_schema.table_privileges' . ' WHERE grantee = :grantee' . ' AND table_schema = :dbname' - . ' AND ' . $tableCondition - . ' AND ' . $privilegeCondition + . ' AND table_name IN (' . join(',', array_map(array($this, 'quote'), $context)) . ')' + . ' AND privilege_type IN (' . join(',', array_map(array($this, 'quote'), $tablePrivileges)) . ')' . ($requireGrants ? " AND is_grantable = 'YES'" : ''), array(':grantee' => $grantee, ':dbname' => $this->config['dbname']) ); @@ -688,7 +683,8 @@ EOD; $query = $this->query( 'SELECT COUNT(*) as matches FROM information_schema.user_privileges WHERE grantee = :grantee' - . ' AND ' . $privilegeCondition . ($requireGrants ? " AND is_grantable = 'YES'" : ''), + . ' AND privilege_type IN (' . join(',', array_map(array($this, 'quote'), $mysqlPrivileges)) . ')' + . ($requireGrants ? " AND is_grantable = 'YES'" : ''), array(':grantee' => $grantee) ); return (int) $query->fetchObject()->matches === count($mysqlPrivileges);